From: Omkar Patil <[email protected]> In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution
Reference: [https://nvd.nist.gov/vuln/detail/CVE-2026-50292] Signed-off-by: Omkar Patil <[email protected]> Signed-off-by: Richard Purdie <[email protected]> (cherry picked from commit c8dea5c76f9a0386050345e9638a282fe4ec4bfe) Signed-off-by: Yoann Congal <[email protected]> --- .../wayland/libinput/CVE-2026-50292.patch | 79 +++++++++++++++++++ .../wayland/libinput_1.30.2.bb | 1 + 2 files changed, 80 insertions(+) create mode 100644 meta/recipes-graphics/wayland/libinput/CVE-2026-50292.patch diff --git a/meta/recipes-graphics/wayland/libinput/CVE-2026-50292.patch b/meta/recipes-graphics/wayland/libinput/CVE-2026-50292.patch new file mode 100644 index 00000000000..d2421aab105 --- /dev/null +++ b/meta/recipes-graphics/wayland/libinput/CVE-2026-50292.patch @@ -0,0 +1,79 @@ +From 76f0d8a7f57e2868882864b4611281f12f704b55 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <[email protected]> +Date: Mon, 1 Jun 2026 10:48:24 +1000 +Subject: [PATCH] libinput-device-group: sanitize phys before printing it + +A malicious uinput device could set the phys value (via UI_SET_PHYS) +to contain a '\n'. When the value is printed as part of the device group +the udev rules will interpret it as separate property. + +Depending on the property this can cause local privilege escalation. + +Closes #1296 + +Found-by: Csome +Part-of: <https://gitlab.freedesktop.org/libinput/libinput/-/merge_requests/1487> + +CVE: CVE-2026-50292 +Upstream-Status: Backport [https://gitlab.freedesktop.org/libinput/libinput/-/commit/76f0d8a7f57e2868882864b4611281f12f704b55] + +Signed-off-by: Omkar Patil <[email protected]> +--- + udev/libinput-device-group.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/udev/libinput-device-group.c b/udev/libinput-device-group.c +index cdb38c0b..f9188406 100644 +--- a/udev/libinput-device-group.c ++++ b/udev/libinput-device-group.c +@@ -107,7 +107,8 @@ wacom_handle_ekr(struct udev_device *device, + + udev_list_entry_foreach(entry, udev_enumerate_get_list_entry(e)) { + struct udev_device *d; +- const char *path, *phys; ++ _autofree_ char *phys = NULL; ++ const char *path; + const char *pidstr, *vidstr; + int pid, vid, dist; + +@@ -122,7 +123,7 @@ wacom_handle_ekr(struct udev_device *device, + + vidstr = udev_device_get_property_value(d, "ID_VENDOR_ID"); + pidstr = udev_device_get_property_value(d, "ID_MODEL_ID"); +- phys = udev_device_get_sysattr_value(d, "phys"); ++ phys = str_sanitize(udev_device_get_sysattr_value(d, "phys")); + + if (vidstr && pidstr && phys && safe_atoi_base(vidstr, &vid, 16) && + safe_atoi_base(pidstr, &pid, 16) && vid == VENDOR_ID_WACOM && +@@ -134,7 +135,7 @@ wacom_handle_ekr(struct udev_device *device, + best_dist = dist; + + free(*phys_attr); +- *phys_attr = safe_strdup(phys); ++ *phys_attr = steal(&phys); + } + } + +@@ -151,7 +152,8 @@ main(int argc, char **argv) + int rc = 1; + struct udev *udev = NULL; + struct udev_device *device = NULL; +- const char *syspath, *phys = NULL; ++ _autofree_ char *phys = NULL; ++ const char *syspath = NULL; + const char *product; + int bustype, vendor_id, product_id, version; + char group[1024]; +@@ -175,8 +177,7 @@ main(int argc, char **argv) + * bit and use the remainder as device group identifier */ + while (device != NULL) { + struct udev_device *parent; +- +- phys = udev_device_get_sysattr_value(device, "phys"); ++ phys = str_sanitize(udev_device_get_sysattr_value(device, "phys")); + if (phys) + break; + +-- +GitLab + diff --git a/meta/recipes-graphics/wayland/libinput_1.30.2.bb b/meta/recipes-graphics/wayland/libinput_1.30.2.bb index efd51809d8e..96531e8c54e 100644 --- a/meta/recipes-graphics/wayland/libinput_1.30.2.bb +++ b/meta/recipes-graphics/wayland/libinput_1.30.2.bb @@ -16,6 +16,7 @@ SRC_URI = "git://gitlab.freedesktop.org/libinput/libinput.git;protocol=https;bra file://CVE-2026-35093.patch \ file://CVE-2026-35094.patch \ file://run-ptest \ + file://CVE-2026-50292.patch \ " SRCREV = "042c5e6fd9cc910307027a1522453794b29f2c72"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#239231): https://lists.openembedded.org/g/openembedded-core/message/239231 Mute This Topic: https://lists.openembedded.org/mt/119897526/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
